Spoofing â whether in the form of DNS, legitimate email notification, IP, address bar â is a common part of Web threats. Weâve seen its several incarnations in the past, but we recently found a technique known as header spoofing, which puts a different spin on evading detection.
Header spoofing makes a URL appear to have been downloaded from a certain domain when it was really downloaded from a different, and very likely malicious, one. Unlike other spoofing techniques, it involves no modification of the system or of any file. Instead, the malware alters the network traffic itself: after it has connected to the real server and right before it sends the request, it writes the other domain into the HTTP request header (the Host field), so anything that trusts that header, such as a proxy log or a URL filter, records the spoofed domain rather than the server that was actually contacted. My colleague Jessa dela Torre described this behavior in her research on the StealRat botnet.
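The following Python is an added example, not code from the original post or from the StealRat research, showing both halves of the behavior described above: building a request whose Host header names a domain unrelated to the server the connection actually goes to, and a check that flags such requests by comparing the Host header against where the bytes were sent. The DNS answers and the captured flows are constructed for the example (RFC 5737 documentation addresses); in practice the `resolve` callback would be backed by the DNS answers seen in the same capture or by a passive-DNS store.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple

# A resolver maps a hostname to the IPv4/IPv6 addresses it is known to resolve to.
Resolver = Callable[[str], List[str]]


def build_request(path: str, host_header: str) -> bytes:
    """Build the request described above: the TCP connection is opened to the
    real server, but the Host header is filled in with whatever domain the
    malware wants logs and filters to see."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host_header}\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_host(request: bytes) -> str:
    """Return the hostname from the Host header of a raw HTTP request,
    without any :port suffix; empty string if the header is missing."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").rsplit(":", 1)[0]
    return ""


def host_matches_destination(host: str, dst_ip: str, resolve: Resolver) -> bool:
    """True when the Host header is consistent with where the bytes actually went:
    either it is the destination IP itself, or a name that resolves to it."""
    if not host:
        return False                               # HTTP/1.1 requires a Host header
    try:
        return ipaddress.ip_address(host.strip("[]")) == ipaddress.ip_address(dst_ip)
    except ValueError:
        pass                                       # not an IP literal: resolve the name
    return dst_ip in resolve(host)


def find_spoofed_hosts(flows: Iterable[Tuple[str, bytes]],
                       resolve: Resolver) -> List[Tuple[str, str]]:
    """flows: (destination IP, raw request) pairs, e.g. reassembled from a capture.
    Returns the (destination IP, Host) pairs whose Host does not belong to that IP."""
    return [(dst, parse_host(req)) for dst, req in flows
            if not host_matches_destination(parse_host(req), dst, resolve)]


# Constructed DNS answers standing in for a passive-DNS store or live lookups.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "cdn.example.net": ["198.51.100.7"],
}


def lookup(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host.lower(), [])


# Constructed flows: an honest download, an IP-literal request, and a
# header-spoofed download where the bytes go to 203.0.113.45 while the
# Host header claims www.example.com.
SAMPLE_FLOWS = [
    ("192.0.2.10", build_request("/index.html", "www.example.com")),
    ("203.0.113.45", build_request("/tpl/a.bin", "203.0.113.45")),
    ("203.0.113.45", build_request("/tpl/a.bin", "www.example.com")),
]

if __name__ == "__main__":
    for dst, host in find_spoofed_hosts(SAMPLE_FLOWS, lookup):
        print(f"Host header {host!r} does not belong to destination {dst}")
```

Two caveats when running this kind of check on real traffic: CDNs and shared hosting legitimately put many names on one address and rotate addresses, so resolve names at capture time (or against the DNS answers the same client received) rather than hours later; and the stronger signal is a Host header for a name that the client never looked up at all, which is exactly what the malware described above produces, since it connects to the server without resolving the spoofed domain.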